Promoting a Domain Controller over an IPSEC VPN

By Jonesy • May 15th, 2006 • Category: Windows 2K3 Server

Over the weekend I was involved in joining a Windows 2003 server in the US to our domain here in Sydney over an IPSec VPN. Because of the MTU limit imposed by the T1 connection, plus the extra overhead of IPSec encryption, machines could join the domain, but every attempt to promote one to a Domain Controller failed.

It appeared to be a packet size issue caused by the low MTU (1410). This Microsoft article describes the problem:

http://support.microsoft.com/?kbid=244474

I'll quote the section that describes the issue and the fix:

By default, Kerberos uses connectionless UDP datagram packets. Depending on a variety of factors including security identifier (SID) history and group membership, some accounts will have larger Kerberos authentication packet sizes. Depending on the virtual private network (VPN) hardware configuration, these larger packets have to be fragmented when going through a VPN. The problem is caused by fragmentation of these large UDP Kerberos packets. Because UDP is a connectionless protocol, fragmented UDP packets will be dropped if they arrive at the destination out of order.

If you change MaxPacketSize to a value of 1, you force the client to use TCP to send Kerberos traffic through the VPN tunnel. Because TCP is connection oriented, it is a more reliable means of transport across the VPN tunnel. Even if the packets are dropped, the server will re-request the missing data packet.

You can change MaxPacketSize to 1 to force the clients to use Kerberos traffic over TCP. To do this, follow these steps:
1. Start Registry Editor.
2. Locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters

Note: If the Parameters key does not exist, create it now.
3. On the Edit menu, point to New, and then click DWORD Value.
4. Type MaxPacketSize, and then press ENTER.
5. Double-click MaxPacketSize, type 1 in the Value data box, click to select the Decimal option, and then click OK.
6. Quit Registry Editor.
7. Restart your computer.
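
The same change as a script, added here as an example and not part of the original post or the Microsoft article: it creates the Parameters key if needed, sets MaxPacketSize to 1, and then checks that the DC's Kerberos TCP port (88) is actually reachable through the tunnel before you run dcpromo. It assumes an elevated PowerShell session on the server being promoted; the DC hostname is a placeholder.

```powershell
# Added example (not from the original post): force Kerberos over TCP on the member server
# before promoting it, then confirm 88/tcp to the DC is open across the VPN.
# Assumptions: run elevated on the server being promoted; $dc below is a placeholder.

$KerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Set-KerberosTcp {
    # The KB article notes the Parameters key may not exist yet; create it if missing.
    if (-not (Test-Path $KerbParams)) {
        New-Item -Path $KerbParams -Force | Out-Null
    }
    $current = (Get-ItemProperty -Path $KerbParams -ErrorAction SilentlyContinue).MaxPacketSize
    if ($current -eq 1) {
        Write-Output "MaxPacketSize is already 1 (Kerberos over TCP); nothing to do."
        return $false
    }
    # REG_DWORD 1 forces TCP; the change only takes effect after a reboot.
    New-ItemProperty -Path $KerbParams -Name 'MaxPacketSize' -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Output "MaxPacketSize set to 1 (was '$current'). Reboot before promoting."
    return $true
}

function Test-KerberosTcpPort {
    param([string]$DcHost, [int]$Port = 88, [int]$TimeoutMs = 3000)
    # Kerberos over TCP needs 88/tcp open through the VPN; a timed connect avoids a long hang.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($DcHost, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

Set-KerberosTcp
$dc = 'dc1.sydney.example.invalid'   # placeholder: replace with your domain controller
if (Test-KerberosTcpPort -DcHost $dc) {
    Write-Output "88/tcp reachable on $dc through the tunnel."
} else {
    Write-Output "88/tcp NOT reachable on $dc; fix VPN or firewall rules before promoting."
}
```

Windows Vista / Server 2008 and later already default to Kerberos over TCP, so this value mainly matters for the 2003-era hosts the post describes.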

This was a much better solution than building the DC in Sydney, and then shipping it over!

-Jonesy

Jonesy is currently working for a wireless ISP as Senior Network Operations Engineer. He has several years of experience in Systems Administration and Network Administration and Design, with a particular interest in Linux and IP networking.